From mboxrd@z Thu Jan  1 00:00:00 1970

Return-Path: <SRS0=/BGd=SD=vger.kernel.org=linux-kernel-owner@kernel.org>

X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on

	aws-us-west-2-korg-lkml-1.web.codeaurora.org

X-Spam-Level: 

X-Spam-Status: No, score=-7.0 required=3.0 tests=HEADER_FROM_DIFFERENT_DOMAINS,

	INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY,SPF_PASS autolearn=ham

	autolearn_force=no version=3.4.0

Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])

	by smtp.lore.kernel.org (Postfix) with ESMTP id 5BCBAC43381

	for <linux-kernel@archiver.kernel.org>; Mon,  1 Apr 2019 20:16:59 +0000 (UTC)

Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])

	by mail.kernel.org (Postfix) with ESMTP id 31C4F20896

	for <linux-kernel@archiver.kernel.org>; Mon,  1 Apr 2019 20:16:59 +0000 (UTC)

Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand

        id S1726867AbfDAUQ5 (ORCPT

        <rfc822;linux-kernel@archiver.kernel.org>);

        Mon, 1 Apr 2019 16:16:57 -0400

Received: from mx1.redhat.com ([209.132.183.28]:52924 "EHLO mx1.redhat.com"

        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP

        id S1726284AbfDAUQ5 (ORCPT <rfc822;linux-kernel@vger.kernel.org>);

        Mon, 1 Apr 2019 16:16:57 -0400

Received: from smtp.corp.redhat.com (int-mx07.intmail.prod.int.phx2.redhat.com [10.5.11.22])

        (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits))

        (No client certificate requested)

        by mx1.redhat.com (Postfix) with ESMTPS id 6BC20307D933;

        Mon,  1 Apr 2019 20:16:57 +0000 (UTC)

Received: from gimli.home (ovpn-116-99.phx2.redhat.com [10.3.116.99])

        by smtp.corp.redhat.com (Postfix) with ESMTP id AF2DC104C53F;

        Mon,  1 Apr 2019 20:16:52 +0000 (UTC)

Subject: [PATCH] vfio/type1: Limit DMA mappings per container

From:   Alex Williamson <alex.williamson@redhat.com>

To:     alex.williamson@redhat.com

Cc:     kvm@vger.kernel.org, linux-kernel@vger.kernel.org,

        eric.auger@redhat.com, cohuck@redhat.com

Date:   Mon, 01 Apr 2019 14:16:52 -0600

Message-ID: <155414977872.12780.13728555131525362206.stgit@gimli.home>

User-Agent: StGit/0.19-dirty

MIME-Version: 1.0

Content-Type: text/plain; charset="utf-8"

Content-Transfer-Encoding: 7bit

X-Scanned-By: MIMEDefang 2.84 on 10.5.11.22

X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16 (mx1.redhat.com [10.5.110.48]); Mon, 01 Apr 2019 20:16:57 +0000 (UTC)

Sender: linux-kernel-owner@vger.kernel.org

Precedence: bulk

List-ID: <linux-kernel.vger.kernel.org>

X-Mailing-List: linux-kernel@vger.kernel.org

Archived-At: <https://lore.kernel.org/lkml/155414977872.12780.13728555131525362206.stgit@gimli.home/>

List-Archive: <https://lore.kernel.org/lkml/>

List-Post: <mailto:linux-kernel@vger.kernel.org>

Memory backed DMA mappings are accounted against a user's locked

memory limit, including multiple mappings of the same memory.  This

accounting bounds the number of such mappings that a user can create.

However, DMA mappings that are not backed by memory, such as DMA

mappings of device MMIO via mmaps, do not make use of page pinning

and therefore do not count against the user's locked memory limit.

These mappings still consume memory, but the memory is not well

associated to the process for the purpose of oom killing a task.

To add bounding on this use case, we introduce a limit to the total

number of concurrent DMA mappings that a user is allowed to create.

This limit is exposed as a tunable module option where the default

value of 64K is expected to be well in excess of any reasonable use

case (a large virtual machine configuration would typically only make

use of tens of concurrent mappings).

This fixes CVE-2019-3882.

Signed-off-by: Alex Williamson <alex.williamson@redhat.com>

---

 drivers/vfio/vfio_iommu_type1.c |   14 ++++++++++++++

 1 file changed, 14 insertions(+)

diff --git a/drivers/vfio/vfio_iommu_type1.c b/drivers/vfio/vfio_iommu_type1.c

index 73652e21efec..7fc8fd7d4dc7 100644

--- a/drivers/vfio/vfio_iommu_type1.c

+++ b/drivers/vfio/vfio_iommu_type1.c

@@ -58,12 +58,18 @@ module_param_named(disable_hugepages,

 MODULE_PARM_DESC(disable_hugepages,

 		 "Disable VFIO IOMMU support for IOMMU hugepages.");

+static int dma_entry_limit __read_mostly = U16_MAX;

+module_param_named(dma_entry_limit, dma_entry_limit, int, 0644);

+MODULE_PARM_DESC(dma_entry_limit,

+		 "Maximum number of user DMA mappings per container (65535).");

+

 struct vfio_iommu {

 	struct list_head	domain_list;

 	struct vfio_domain	*external_domain; /* domain for external user */

 	struct mutex		lock;

 	struct rb_root		dma_list;

 	struct blocking_notifier_head notifier;

+	atomic_t		dma_avail;

 	bool			v2;

 	bool			nesting;

 };

@@ -836,6 +842,7 @@ static void vfio_remove_dma(struct vfio_iommu *iommu, struct vfio_dma *dma)

 	vfio_unlink_dma(iommu, dma);

 	put_task_struct(dma->task);

 	kfree(dma);

+	atomic_inc(&iommu->dma_avail);

 }

 static unsigned long vfio_pgsize_bitmap(struct vfio_iommu *iommu)

@@ -1081,8 +1088,14 @@ static int vfio_dma_do_map(struct vfio_iommu *iommu,

 		goto out_unlock;

 	}

+	if (!atomic_add_unless(&iommu->dma_avail, -1, 0)) {

+		ret = -ENOSPC;

+		goto out_unlock;

+	}

+

 	dma = kzalloc(sizeof(*dma), GFP_KERNEL);

 	if (!dma) {

+		atomic_inc(&iommu->dma_avail);

 		ret = -ENOMEM;

 		goto out_unlock;

 	}

@@ -1583,6 +1596,7 @@ static void *vfio_iommu_type1_open(unsigned long arg)

 	INIT_LIST_HEAD(&iommu->domain_list);

 	iommu->dma_list = RB_ROOT;

+	atomic_set(&iommu->dma_avail, dma_entry_limit);

 	mutex_init(&iommu->lock);

 	BLOCKING_INIT_NOTIFIER_HEAD(&iommu->notifier);